Encrypting Data in EVS
Overview
If your services require encryption for the data stored on disks in Elastic Volume Service (EVS), EVS provides an encryption function. You can encrypt newly created EVS disks. The keys used by encrypted EVS disks are provided by KMS of DEW, which is secure and convenient, so you do not need to establish and maintain your own key management infrastructure.
Disk encryption is used for data disks only. System disk encryption relies on the image. For details, see Encrypting Data in IMS.
Who Can Use the Disk Encryption Function?
- Security administrators (users having Security Administrator rights) can grant the KMS access rights to EVS for using disk encryption.
- When a common user who does not have the Security Administrator rights needs to use the disk encryption feature, what is required depends on whether the user is the first one in the current region or project ever to use this feature.
  - If the user is the first, the user must contact a user having the Security Administrator rights to grant the KMS access rights to EVS. After that, the user can use the disk encryption feature.
  - If the user is not the first, the user can use the disk encryption function directly.
From the perspective of a tenant, as long as the KMS access rights have been granted to EVS in a region, all users in the same region can directly use the disk encryption feature.
If there are multiple projects in the current region, the KMS access rights need to be granted to each project in this region.
Keys Used for EVS Disk Encryption
The keys provided by KMS for disk encryption include a Default Master Key and Customer Master Keys (CMKs).
- Default Master Key: A key that is automatically created by EVS through KMS and named evs/default.
  The Default Master Key cannot be disabled and does not support scheduled deletion.
- CMKs: Keys created by users. You can use existing CMKs or create one. For details, see .
CMK Status | Impact on Encrypted Disks | Restoration Method
---|---|---
Disabled | |
Pending deletion | |
Deleted | Data on the disks can never be restored. |
You will be charged for the CMKs you use. If basic keys are used, ensure that your account balance is sufficient. If professional keys are used, renew your order in time. Otherwise, your services may be interrupted and your data may never be restored, because the encrypted disks become unreadable and unwritable once their key is unavailable.
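The key-status table and the warning above describe how the state of a CMK affects the disks it protects. The following script is an added example (not part of the EVS documentation or of any Huawei Cloud SDK) that applies those rules to a disk and key inventory: it flags unencrypted data disks, disks whose CMK is disabled or pending deletion (unreadable and unwritable), disks whose CMK is deleted (data can never be restored), and an inventory that is inconsistent with the page's statement that evs/default can neither be disabled nor scheduled for deletion. The inventory records, their field names and the key-state strings are constructed for the example and are not the real EVS or KMS API schema.

```python
"""Audit EVS data disks against the state of the KMS keys that encrypt them.

The inventory below is constructed for this example; in practice it would be
assembled from the EVS and KMS APIs, whose field names differ from the
assumed ones used here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Key states named in the documentation (Disabled, Pending deletion, Deleted)
# plus the normal Enabled state. The string values are assumed, not API values.
ENABLED = "enabled"
DISABLED = "disabled"
PENDING_DELETION = "pending_deletion"
DELETED = "deleted"

# Name of the Default Master Key, as given in the documentation.
DEFAULT_KEY_ALIAS = "evs/default"


@dataclass
class Disk:
    disk_id: str
    role: str                # "data" or "system" (assumed field)
    encrypted: bool
    key_id: Optional[str]    # KMS key id, None when the disk is unencrypted


@dataclass
class Key:
    key_id: str
    alias: str
    state: str


@dataclass
class Finding:
    disk_id: str
    severity: str            # "ok", "warning" or "critical"
    message: str


def check_default_key(keys: Dict[str, Key]) -> None:
    """The Default Master Key cannot be disabled or scheduled for deletion, so an
    inventory reporting that is inconsistent and should not be trusted."""
    for key in keys.values():
        if key.alias == DEFAULT_KEY_ALIAS and key.state in (DISABLED, PENDING_DELETION):
            raise ValueError(f"inventory reports {DEFAULT_KEY_ALIAS} as {key.state}")


def classify_disk(disk: Disk, keys: Dict[str, Key]) -> Finding:
    """Map one disk to a finding using the impact rules from the documentation."""
    if disk.role == "system":
        # System disk encryption relies on the image, not on EVS disk encryption.
        return Finding(disk.disk_id, "ok", "system disk: encryption is governed by the image")
    if not disk.encrypted:
        return Finding(disk.disk_id, "warning", "data disk is not encrypted")
    key = keys.get(disk.key_id or "")
    if key is None or key.state == DELETED:
        # Deleted key: data on the disk can never be restored.
        return Finding(disk.disk_id, "critical",
                       f"CMK {disk.key_id} is deleted: data can never be restored")
    if key.state in (DISABLED, PENDING_DELETION):
        # While the key is unavailable the disk is unreadable and unwritable.
        return Finding(disk.disk_id, "critical",
                       f"CMK {key.alias} is {key.state}: disk is unreadable and unwritable")
    return Finding(disk.disk_id, "ok", f"encrypted with {key.alias}")


def audit(disks: List[Disk], keys: Dict[str, Key]) -> List[Finding]:
    check_default_key(keys)
    return [classify_disk(d, keys) for d in disks]


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts = {"ok": 0, "warning": 0, "critical": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory (ids and aliases are made up for this example).
SAMPLE_KEYS: Dict[str, Key] = {
    "k-default": Key("k-default", DEFAULT_KEY_ALIAS, ENABLED),
    "k-app": Key("k-app", "app-cmk", ENABLED),
    "k-old": Key("k-old", "legacy-cmk", DISABLED),
    "k-retire": Key("k-retire", "retired-cmk", PENDING_DELETION),
}
SAMPLE_DISKS: List[Disk] = [
    Disk("vol-1", "system", False, None),
    Disk("vol-2", "data", False, None),
    Disk("vol-3", "data", True, "k-default"),
    Disk("vol-4", "data", True, "k-app"),
    Disk("vol-5", "data", True, "k-old"),
    Disk("vol-6", "data", True, "k-retire"),
    Disk("vol-7", "data", True, "k-gone"),   # key no longer exists in KMS
]


def run_sample_audit() -> List[Finding]:
    return audit(SAMPLE_DISKS, SAMPLE_KEYS)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(f"{finding.severity:8} {finding.disk_id}: {finding.message}")
```

Running the script prints one line per disk; the three "critical" findings are the ones that would need action before the key becomes unavailable for good, and the "warning" marks a data disk that was created without the Encryption check box selected.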
Using KMS to Encrypt a Disk (on the Console)
- On the EVS management console, click Buy Disk.
- Select the Encryption check box.
  - Click More. The Encryption check box is displayed.
    Figure 1 More
  - Create an agency.
    Select Encrypt. If EVS is not authorized to access KMS, the Create Agency dialog box is displayed. In this case, click Yes to authorize it. After the authorization, EVS can obtain KMS keys to encrypt and decrypt disks.
    Before you use the disk encryption function, KMS access rights need to be granted to EVS. If you have the right to grant them, grant the KMS access rights to EVS directly. If you do not, contact a user with the Security Administrator rights to grant the KMS access rights to EVS, then repeat the preceding operations.
  - Set encryption parameters.
    Select Encrypt. If the authorization succeeded, the Encrypt Setting dialog box is displayed.
    Figure 2 Encryption settings
    Select either of the following types of keys from the KMS Key Name drop-down list:
    - Default Master Key. After the KMS access rights have been granted to EVS, the system automatically creates a Default Master Key named evs/default.
    - An existing or new CMK. For details about how to create one, see .
- Configure other parameters for the disk. For details about the parameters, see .
Using KMS to Encrypt a Disk (Through an API)
You can call the required API of EVS to purchase an encrypted EVS disk. For details, see Elastic Volume Service API Reference.